I have configured a site-to-site VPN between home and office.
I would like only some devices at home to be accessible from the office; however, it seems to ignore all firewall rules I set.
Here is an image of my settings in zones:
home_jens is the interface for my VPN, and I want to prevent any traffic from this VPN that I have not explicitly allowed using a firewall rule. Input and Forward are set to reject, and I did hit save and apply.
I also have a custom rule like this:
iptables -t nat -A POSTROUTING -o home_jens -j ACCEPT
It is to make sure that traffic is not NATed, since I want both sides to be able to reach each other's IP ranges. I tried commenting this out and restarted the firewall, but nothing changes.
So all devices at office can still reach all devices at home.
Looking at traffic rules, I only opened up for traffic from WAN. Same with port forwards: opened some ports, but only for WAN.
Anywhere else I can check? Is it something I forgot? Seems like OpenVPN bypasses all my firewall rules.
Delete the forwarding from
Thanks @krazeh, totally makes sense and works as I would like it to.
There's no need, unless you explicitly enable masquerading for the VPN zone.
Oh @vgaetera, I thought I had to.
I have a couple of IPsec VPNs and there I need to do this. If not, it masquerades the IP and nothing works.
Are OpenVPN and strongSwan different in respect to masquerading?
If you assign the VPN interface to the WAN firewall zone, then it will use masquerading.
Otherwise, this should be reported as a bug, since the VPN service should not alter runtime firewall configuration without explicit consent.
@vgaetera I agree, it is odd.
Regarding the strongSwan VPNs, I have scratched my head about why it masquerades the IP addresses even though I did not set the particular interface to masqueraded... But this seems too basic, so I would assume there must be something in my configuration that makes the interfaces masqueraded...
You can inspect the runtime configuration:
iptables-save | grep -e MASQUERADE -e SNAT
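An added example (not posted by anyone in this thread) that does the check above a bit more systematically: it parses `iptables-save -t nat` output and reports, per outgoing interface, whether a MASQUERADE or SNAT rule applies, so you can see at a glance whether the VPN interface is being source-NATed. The interface names eth0, home_jens and ipsec0 and the addresses in the sample are constructed; on the router you would feed it the real `iptables-save -t nat` output instead.

```sh
#!/bin/sh
# Added example, not from the thread: find which outgoing interfaces are
# source-NATed (MASQUERADE or SNAT) in the nat table of an iptables-save dump.

# Constructed sample of `iptables-save -t nat` output. Interface names
# (eth0, home_jens, ipsec0) and addresses are made up for illustration.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o home_jens -j ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o ipsec0 -j SNAT --to-source 192.0.2.1
COMMIT'

# Print the out-interface (-o) of every MASQUERADE/SNAT rule, space-separated.
masq_interfaces() {
  printf '%s\n' "$1" | awk '
    /-j (MASQUERADE|SNAT)/ {
      for (i = 1; i <= NF; i++)
        if ($i == "-o") {
          if (out != "") out = out " "
          out = out $(i + 1)
        }
    }
    END { print out }'
}

# Return 0 if the given interface is source-NATed by the rules, 1 otherwise.
is_masqueraded() {
  iface=$1
  rules=$2
  for m in $(masq_interfaces "$rules"); do
    [ "$m" = "$iface" ] && return 0
  done
  return 1
}

# Report for the interfaces we care about (the VPN tunnels).
for vpn in home_jens ipsec0; do
  if is_masqueraded "$vpn" "$SAMPLE_NAT_RULES"; then
    echo "$vpn: source NAT applied (remote side sees the router's address)"
  else
    echo "$vpn: no source NAT (both sides see the real addresses)"
  fi
done
```

On a live OpenWrt box, run `is_masqueraded home_jens "$(iptables-save -t nat)"`. If the VPN interface shows up as masqueraded even though its own zone has masquerading off, check which zone the interface actually belongs to (`uci show firewall` lists zone membership and the masq option), since an interface placed in the wan zone inherits that zone's masquerading.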